This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Android Factory Reset Leaves Your Data Exposed: Study

Flaws in Google's Android operating system mean the factory-reset option is unlikely to permanently wipe all your data -- or master token -- from the device.

9 iOS, Android Apps to Boost Productivity

(Click image for larger view and slideshow.)

A burgeoning market in refurbished smartphones can help offset the cost of new devices for you or your employees. But you may want to think twice before letting any of the Android smartphone users in your organization turn their old mobile devices over to the reseller market.

A study conducted by two Cambridge University students examined 21 secondhand devices from five different manufacturers running Android OS versions 2.3 to 4.3 that had been wiped using the built-in factory reset. Despite the factory reset, the researchers were able to recover the master token in 80% of the devices, from which they could successfully re-synchronize contacts, emails, and other data.

To improve usability and user engagement, most smartphone apps replace passwords with authentication tokens the first time a user enters his password. After the first password-based authentication, users are automatically logged in with the authentication token. Emails can be retrieved, calendar notifications downloaded, etc., without user intervention.

These tokens are often stored on non-volatile flash storage on the data partition, and their continued presence suggests that consumers will remain exposed to ineffectual data wipes for the foreseeable future.

The team found that viable alternatives to a factory reset for devices running Google's Android OS each possess certain drawbacks. One such option involved filling up the partition of interest with random-byte files. This alternative was discarded by the researchers because it uses the file system rather than direct flash access, and adds another layer of uncertainty. "Overwriting the entire partition bit-by-bit once did provide logical sanitization for all devices and all partitions we studied; it is therefore a reliable alternative," the report noted. "The drawback of this method is that it requires privileged [root] access to devices in practice. Therefore, it is likely to put off ordinary users."

The report noted enabling Full Disk Encryption (FDE) on first use of the device would be more appropriate for ordinary users, if devices support it.

The study follows a similar report from the same research team, which revealed the same flaws in third-party anti-theft apps with remote wipe and remote lock functions. "Mobile OS architectures leave third-party security apps little leeway to improve built-in Factory Resets, therefore mobile anti-virus [MAV] remote wipe functions are not an alternative to a flawed built-in Factory Reset," the report noted. "We conclude the only viable solutions are those driven by vendors themselves."

A February 2015 survey of more than 5,600 U.S. and Germany consumers conduced by IT research firm Gartner found 60% of consumers are replacing their smartphones because they are interested in additional functionality, or they "just want" a new device. Consequently, the worldwide market for refurbished phones that are sold to end-users will grow to 120 million units by 2017, with an equivalent wholesale revenue of around $14 billion.

In North America and Western Europe, the market for refurbished phones is forecast to be worth around $3 billion in 2015 and growing to $5 billion in 2017, the Gartner report projected.

[Did you miss any of the InformationWeek Conference in Las Vegas last month? Don't worry: We have you covered. Check out what our speakers had to say and see tweets from the show. Let's keep the conversation going.]

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin. View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.

Wow, that is very unsettling to me. It makes me rather dispose of my phone all together, than have it refurbished with such a breach. I wouldn't want anyone else to be able to access anything from my old phone.

Did they try setting up the device for encryption? The one concern I would have with that is whether the person logged onto the device before encrypting it, leaving the original keys in place until they are fortuitiously deleted at some random time in the future. Similar problems exist with all flash devices, including USB keys and SSD. Unless the drive is configured with full disk encryption, the data is available until that section of flash is erased. Because of flash overprovisioning, it's not possible to determine when that happens, although it may or may not be readable through the normal interface. I recently looked up SSD forensics, and it's amazing what can be retrieved, especially by dedicated parties who are willing to access the flash device directly.